By Gregory Hale
Right now, the water and wastewater sector continues to stand exactly where it has been from the beginning of the digital age: At the broken end of a bottle.

Yes, there are initiatives from the federal government and from various private sector companies to help out, but how many people out there can truly say everyone’s drinking water is safe from an attacker trying to get in and do harm? It is safe to say that, for an attacker, getting in is fairly easy. The next question is what kind of assurance we have that when we turn on the faucet, we get safe water to drink.

“Substantial threats have been around for years,” said Padraic O’Reilly, founder and chief innovation officer at software security provider CyberSaint. “The real fear is if it takes water offline. It has been known for years among CISA and private organizations, bad actors have existed in there. I think now there is a consensus there are nation state actors setting up for wide scale actual interference with critical infrastructure.”

To that end, just last week the Homeland Security Subcommittee on Cybersecurity and Infrastructure Protection conducted a hearing entitled, “Securing Operational Technology: A Deep Dive into the Water Sector.”

Expert Testimony
At the hearing, industry experts testified on the threats to water and wastewater ICS/OT systems in the U.S. that have the potential to disrupt operations and pose safety risks, and examined the steps needed to secure operational technology in the water sector.

“Water and wastewater systems are vulnerable to a variety of cyberattacks that have the potential to disrupt operations and pose safety risks to the systems’ ability to perform fundamental functions,” said Rob Lee, chief executive and founder of OT security provider Dragos, during his testimony before the House subcommittee. “In over half of our engagements with customers, Dragos encountered issues with ICS/OT network accessibility from the Internet. Using weak or default credentials, which are often publicly available in the vendor’s documentation, for OT devices increases the threat of exposure. Several recent examples demonstrate adversaries exploiting ICS/OT exposed systems.”

Indeed, one of the booster stations of the Municipal Water Authority of Aliquippa, Pennsylvania, had a pump shut down after a hack in November by an Iranian-backed cyber group.

Matthew Mottes, the chairman of the board of directors for the Municipal Water Authority of Aliquippa, said the cyber group, known as Cyber Av3ngers, took control of one of the stations. An alarm went off as soon as the hack had occurred.

Mottes said the station, located on the outskirts of town, monitors and regulates pressure for Raccoon and Potter Townships and stressed there was no risk to the drinking water or water supply.

The utility shut down the pump and relied on back-up systems to maintain water pressure to its customers.

Along with the pump, the network also connected security cameras.

Responsibility for Attacks
The hacked machine uses a system called Unitronics, which is Israeli-owned software or components. CyberAv3ngers took responsibility for several attacks worldwide, including 10 water treatment stations in Israel as of Oct. 30, 2023, according to their X page.

In another incident, a North Texas water utility serving two million people suffered a cyberattack that shut down some business operations.

North Texas Municipal Water District (NTMWD) provides wholesale water, wastewater and solid waste management services to more than 13 cities in the state, including Plano and Frisco. The organization detected a cyberattack affecting their business computer network, said Alex Johnson, director of communications for NTMWD.

The November 26 incident came one day after an attack on the Pennsylvania water authority. The cybercrime gang Daixin Team said it conducted the attack.

St. Johns River Management District also suffered a cyberattack in late November that occurred in its information technology environment.

The Palatka, Florida-based regulatory agency that oversees the long-term supply of drinking water confirmed it responded to a cyberattack.

A spokesperson for St. Johns confirmed it “identified suspicious activity in its information technology environment” and “containment measures have been successfully implemented.” The agency does not have direct control over water utility technology.

Florida Water Ransomware Attack
A ransomware gang said it attacked the organization December 2, providing samples of what it stole.

Paris, France’s wastewater system suffered a cyberattack in November.

Service public de l’assainissement francilien (SIAAP), which manages the 275 miles of pipes throughout four departments, said after discovering the November 17 attack, it filed a complaint with the judicial police and National Commission on Informatics and Liberty (CNIL).

“In view of this visibly very structured attack and its consequences on the functioning of the SIAAP, a complaint ended up filed with the judicial police services as well as a declaration with the National Commission for Informatics and Liberties (CNIL),” the company said in a translated statement.

“Water is tricky because it is so distributed,” O’Reilly said. “The authority is so distributed. You have the AWWA, the EPA and there was a lawsuit against them when they required cyber hygiene. In addition, water companies might not have any budget at all to do anything. They have got OT that could be 50 years old. It is a thorny issue with water. I think CISA has the right approach with free tools. AWWA has a great tool online. The reality is we don’t really see change in critical infrastructure unless there is a carrot and stick. This idea that water can stay voluntary forever and stay secure, I think that is overly optimistic.

Old Infrastructure
“If they have end of life systems, they are stuck. That seems to be part of the problem. They are understaffed and then the old infrastructure and a lot of those decisions go up through state and local authorities, which are not necessarily the most educated on those threats. If there are attacks ready to go and you don’t have the staff and budget, and you have to ask an authority for budget which doesn’t understand the threat, you are bound to have a problem. It has to be an all-hands-on-deck approach. But still you have got to staff these places a little bit better,” O’Reilly said.

In the wake of all the water incidents that occurred over the years, there is some help for the understaffed and under budgeted water organizations.

To that end, security provider Dragos launched its Dragos Community Defense Program to provide free OT cybersecurity software for small water, electric, and natural gas providers. The program includes the Dragos Platform and Neighborhood Keeper.

“This is specifically for the industrial control system environment,” said Dawn Cappelli, director of OT-CERT at Dragos. “This is the platform that people buy from us. It is the platform they can install themselves in their industrial control system environment and it will provide them with asset management and visibility, threat detection. They will be part of something called Neighborhood Keeper, which takes anonymized data and aggregates it so the government, the ISAC, our customers can look and see what is happening in the water sector, the electric sector overall or in a geographic region. They also get access to our Dragos Academy training materials, and they get membership in our OT-CERT, which is another free resource we have been providing to small and medium organizations since 2022.”

Small utilities are critical infrastructure, but have limited resources to defend their systems from cyber threats. Protecting any power and water system, big or small, has become more of a challenge as attackers and ransomware groups target critical infrastructure with sophisticated cyberattacks.

Feds Offer Water Sector Response Guide
In addition, the Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and the Environmental Protection Agency (EPA) released a joint Incident Response Guide for the Water and Wastewater Systems (WWS) sector.

With contributions from over 25 Water and Wastewater (WWS) Sector organizations spanning private industry, nonprofit, the document provides incident response best practices and information on federal resources.

The WWS Sector has suffered various cyber events, including unauthorized access and ransomware. Continued compromises or failures of the WWS sector could cause cascading impacts across critical infrastructure.

It would be easy to say technology is advancing to the point where it could help protect the water and wastewater sector, but O’Reilly doesn’t think so.

“The technology part is definitely advancing, but people are more important than ever,” he said. “Even though we are doing some amazing technological wonders, you need to have people to be able to do the right things. We are a long way off from technology being used to solve the problem. It is more a people problem right now.”

Best Practices
O’Reilly added one of the things we can do to help a water plant right now is to teach them what their greatest exposures are.

In addition, he added some other best practices.

“A lot of attacks start with basic protections,” O’Reilly said. “You have to focus on exposures and initial access. The return on security investment you get is by looking at the controls you have and which ones you should prioritize. Look at your top five exposures and the easiest mitigations you have to prevent those. That will get you to the easiest buy down in risk.”
